Posted to cvs@httpd.apache.org by sf...@apache.org on 2012/06/10 21:50:25 UTC

svn commit: r1348653 - in /httpd/httpd/trunk: docs/conf/extra/httpd-ssl.conf.in modules/ssl/ssl_engine_init.c modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_private.h

Author: sf
Date: Sun Jun 10 19:50:25 2012
New Revision: 1348653

URL: http://svn.apache.org/viewvc?rev=1348653&view=rev
Log:
Add some improvements as suggested by Kaspar

- expand comment in config file
- check username == NULL
- detect SRP support via SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB, not via openssl
  version
- rename rv variable

Modified:
    httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
    httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
    httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
    httpd/httpd/trunk/modules/ssl/ssl_private.h

Modified: httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in?rev=1348653&r1=1348652&r2=1348653&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in (original)
+++ httpd/httpd/trunk/docs/conf/extra/httpd-ssl.conf.in Sun Jun 10 19:50:25 2012
@@ -159,8 +159,10 @@ SSLCertificateKeyFile "@exp_sysconfdir@/
 
 #   TLS-SRP mutual authentication:
 #   Enable TLS-SRP and set the path to the OpenSSL SRP verifier
-#   file (containing login information for SRP user accounts). See
-#   the mod_ssl FAQ for instructions on creating this file.
+#   file (containing login information for SRP user accounts). 
+#   Requires OpenSSL 1.0.1 or newer. See the mod_ssl FAQ for
+#   detailed instructions on creating this file. Example:
+#   "openssl srp -srpvfile @exp_sysconfdir@/passwd.srpv -add username"
 #SSLSRPVerifierFile "@exp_sysconfdir@/passwd.srpv"
 
 #   Access Control:

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c?rev=1348653&r1=1348652&r2=1348653&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_init.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_init.c Sun Jun 10 19:50:25 2012
@@ -532,7 +532,7 @@ static void ssl_init_ctx_tls_extensions(
      * TLS-SRP support
      */
     if (mctx->srp_vfile != NULL) {
-        int rv;
+        int err;
         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02308)
                      "Using SRP verifier file [%s]", mctx->srp_vfile);
 
@@ -545,10 +545,10 @@ static void ssl_init_ctx_tls_extensions(
             ssl_die();
         }
 
-        rv = SRP_VBASE_init(mctx->srp_vbase, mctx->srp_vfile);
-        if (rv != SRP_NO_ERROR) {
+        err = SRP_VBASE_init(mctx->srp_vbase, mctx->srp_vfile);
+        if (err != SRP_NO_ERROR) {
             ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02310)
-                         "Unable to load SRP verifier file [error %d]", rv);
+                         "Unable to load SRP verifier file [error %d]", err);
             ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
             ssl_die();
         }

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1348653&r1=1348652&r2=1348653&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Sun Jun 10 19:50:25 2012
@@ -2254,7 +2254,8 @@ int ssl_callback_SRPServerParams(SSL *ss
     char *username = SSL_get_srp_username(ssl);
     SRP_user_pwd *u;
 
-    if ((u = SRP_VBASE_get_by_user(mctx->srp_vbase, username)) == NULL) {
+    if (username == NULL
+        || (u = SRP_VBASE_get_by_user(mctx->srp_vbase, username)) == NULL) {
         *ad = SSL_AD_UNKNOWN_PSK_IDENTITY;
         return SSL3_AL_FATAL;
     }
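Review bot: Both failure cases in the new condition, a handshake without an SRP username and a username that is not in the verifier base, return the same fatal alert with no log entry, so failed SRP logins leave nothing for detection or troubleshooting. A line such as `ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, "SRP: no username in handshake or user not in verifier file");` before `return SSL3_AL_FATAL;` would cover it; the connection record `c` is not visible in this hunk and would have to come from the part of ssl_callback_SRPServerParams that lies outside it. Separately, answering an unknown name with `SSL_AD_UNKNOWN_PSK_IDENTITY` lets a client tell existing account names from non-existing ones. Whether the verifier base is created with a seed that makes OpenSSL simulate unknown users cannot be seen here and is worth confirming.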

Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1348653&r1=1348652&r2=1348653&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Sun Jun 10 19:50:25 2012
@@ -186,10 +186,12 @@
 #endif
 
 /* SRP support came in OpenSSL 1.0.1 */
-#if (OPENSSL_VERSION_NUMBER < 0x10001000)
-#define OPENSSL_NO_SRP
-#else
+#ifndef OPENSSL_NO_SRP
+#ifdef SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB
 #include <openssl/srp.h>
+#else
+#define OPENSSL_NO_SRP
+#endif
 #endif
 
 /* mod_ssl headers */
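Review bot: The comment `/* SRP support came in OpenSSL 1.0.1 */` no longer describes what the block does, because detection now keys on `SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB` and on a pre-set `OPENSSL_NO_SRP`. The new test is only meaningful if the OpenSSL header defining that macro has been included above this point, which the hunk does not show; if it has not, SRP is disabled silently. I would replace the comment with `/* SRP: available when the OpenSSL headers included above define SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB (1.0.1+) and OPENSSL_NO_SRP is not set */` so the include-order dependency is stated where it matters.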